Well, you can _if_ the IMSI or APN appear always at the same place in
the packets. This is a little bit "dangerous" as you might exclude some
packets that are valid (that is with the right IMSI or APN).
As I don't know the transport you are using, here is an example:
ip[12:4]=0x0F80AEBE
Will check that 4 bytes of IP layer, starting at byte #12 (12, 13, 14
and 15 - 4 bytes) have the value 0F80AEBE.
You can only check 1, 2 or 4 bytes at a time - but you can combine
filters:
ip[12:4]=0x0F80AEBE & ip[16:4]=0x0F80AEBC
Note that counting starts at 0.
Hope this helps.
Olivier.
> I dont think you can specify a capture filter this detailed.
> You can do it in ethereal in a display filter but the
> capturing will include a lot more.
>
> On 12.02.2006, at 13:30, Ofer Gafni wrote:
>
> >
> > Hi all ,
> >
> > Does anyone knows how to filter via tcpdump , a certain IMSI or APN
> > messages (GTP)?
> >
> > Thanks in advance!
> >
> > Ofer
> >
> > _______________________________________________
> > Ethereal-users mailing list
> > Ethereal-users@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-users
> >
>
>
> Andreas Fink
> Fink Consulting GmbH
>
> ---------------------------------------------------------------
> Tel: +41-61-6666332 Fax: +41-61-6666331 Mobile: +41-79-2457333
> Address: Clarastrasse 3, 4058 Basel, Switzerland
> E-Mail: afink@xxxxxxxxxxxxxxxxxx
> Homepage: http://www.finkconsulting.com
> ---------------------------------------------------------------
>
> ICQ: 101946485 MSN: msn1@xxxxxx AIM: smsrelay Skype: andreasfink
> Yahoo: finkconsulting SMS: +41792457333
> PGP9: 0714 DF2B A189 A760 6201 5CBD D040 3E71 4DAF 68BB
>
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>